Do you need a degree for working in cybersecurity?

Jarox

I have been looking into the field of cybersecurity as a career path and because I'm still a highschool student I was wondering if I'd need a degree to work as a penetrtion tester for example or if there are more important qualification's or alternatives.

Elitis

You can generally get by in Cybersecurity and IT without a degree up until you're about to hit management. And by "get by", I mean spend a few years working your way up the food chain. That said, a lot of people usually get into Cybersecurity after some time in IT. I've heard of people going straight into it by utilizing internships while in school, so that may be a path available as well. As for Pentesting, there are very few exceptions here (and for good reason). The most typical path is usually a few years of IT (including Help Desk) and then a few years doing blue team work. You may be able to go from IT (beyond help desk) directly into a pentesting role, but this isn't extremely common.

JDMurray

Pentesting is one of the InfoSec fields where you are often looked down upon by other pentesters if you have degrees or certs. You find a lot of very smart, creative, and obsessive people who can't hack academics being attracted to pentesting and forming mainstream-education-hating cliques. You see these people en masse at security conferences like DEF CON. They value what you can say and do and have achieved over what paper you have hanging on your cubical wall. You just need to hope the managers that hire pentesters think the same way.

TechGromit

In my opinion some good Certifications will get you a a lot more mileage then a four year degree. College tuition at a 4 year in-state public college is around 11k a year, that's 44k over four years. At this time, each SANS course and certification is $7,800, So say if you had a GCIH, GPEN and  GXPN, the cost would be $23,400, I say that would get you a lot more attention on a resume than a college degree with no certifications. (Assuming no experience for both candidates). In theory you could obtain all three certification in under a year. Also note that a GXPM is a 600 level course, very difficult exam to pass.    

Elitis

JDMurray said:

Pentesting is one of the InfoSec fields where you are often looked down upon by other pentesters if you have degrees or certs. You find a lot of very smart, creative, and obsessive people who can't hack academics being attracted to pentesting and forming mainstream-education-hating cliques. You see these people en masse at security conferences like DEF CON. They value what you can say and do and have achieved over what paper you have hanging on your cubical wall. You just need to hope the managers that hire pentesters think the same way.

Note to self: go to def con before (maybe) getting a degree. 

changlinn

Second what TechGromit said. I am a hiring manager, and have hired plenty of Analysts, admins and recent a penetration tester. The pentester did have a degree, but that wasn't the reason he got the job, it was his OSCP, and active research and extra-curricular training. Most of the Analysts I've hired had degrees, but then again they also had other demonstrated experience and hobbies. I hired internally an analyst recently with no degree, and very little professional experience, but as he was internal we knew about him entering CTF's and the lab he had at home. The problem is often getting past HR or recruiters. For this more often than not, certs are enough except for management and exec levels.
I also had a couple of interns from Masters programs around the place, almost all of them haven't been as good as the recent analyst with no degree.

YarB

Actually, there are many experienced specialists without a degree in the IT-sphere, but they just get weeded out during the application process. It's a competition. Why would a manager hire a person who didn’t bother to go to college when other applicants did? That's why a lot of young inexperienced people work for big companies and get a good salary. This is how it works. If you have the possibility to receive the diploma, it is better to do this. But it's only my opinion. 

E Double U

I have been in Information Security since 2012 and every org I have worked for listed a bachelors as a minimum in the requirements. Not that you need a degree to actually do the job though :-)

beads

We just hired a new pentester for less than $40,000 with certs and education. This person gets to push prewritten scripts all day. Hardly exciting work.

As for the degree and Information Security, cyber being but a small part of security as a whole. You will spend more and more time doing research, writing papers, presentations and memos than just skill based technology. Skills are important but the soft skills: communicating, writing, persuasion, risk analysis and other business skills are also becoming more and more critical to business. This is where a degree is far more important in the long run than certs. Sorry cert lovers but certification doesn't mean what it used to say 10 years ago when I first started an account on the original TechExams board. Today, we can safely say too many exams are dumped or hacked to strictly be taken seriously.

Management in IT is a dying role as well. I see fewer 'managers' but lots of team lead roles reporting to Director level positions. My current consultation has zero managers with everyone, some 450 people, reporting to one director. I see this as being much more common in the future.

In the long run, get your degree or work an entry level job the rest of your career.

TechGromit

YarB said:

Actually, there are many experienced specialists without a degree in the IT-sphere, but they just get weeded out during the application process. It's a competition. Why would a manager hire a person who didn’t bother to go to college when other applicants did?

This is why knowing someone, or getting a recommendation is worth it's weight in gold. For my first position in Cyber Security, I applied for the job as an outside applicant and heard nothing. It wasn't till someone within IT recommended me to the hiring manager my application bypassed the HR circle filing cabinet and I got a chance to interview for the position. I had no college degree or Security related certs at the time, but I had a lot of experience in IT.

TechGromit

E Double U said:

I have been in Information Security since 2012 and every org I have worked for listed a bachelors as a minimum in the requirements.

Don't let that deter you, if you have the experience, these requirements are often waved. The Trick is to get past the morons in HR, often they toss applicants that have CCNP's when the job lists CCNA as minimum requirements.  

E Double U

beads said:

Management in IT is a dying role as well. I see fewer 'managers' but lots of team lead roles reporting to Director level positions. My current consultation has zero managers with everyone, some 450 people, reporting to one director. I see this as being much more common in the future.

I recognize this with my current employer. We are big on DevOps so managers are being replaced by Product Owners and the DevOps teams are becoming self-steering. The PO's might report to a Grid Owner or Lead PO, but they all share the same lead as the developers.